6 Replies. Latest reply: Apr 25, 2012 1:06 PM by DelVonte

    I cannot access the Internet behind the ASA

    Mohamed

      Hello all,

      I bought a Cisco ASA 5540.
      I have a Cisco 2811 router with the static IP
      84.219.22.96/30
      and it does NAT (PAT) to connect to the Internet,
      and I have
      84.219.22.80/29 for the Exchange server.

      I want to configure the ASA behind the router;
      I mean, leave all the configuration on the Cisco router.
      When I set up the outside and inside LAN, all is OK,
      but all PCs connected on the inside interface of the ASA 5540 cannot access the Internet,
      and a PC also cannot ping the IP on the outside interface. I permit ICMP in the service policy and ICMP inspection,
      but I mean there is no connection, not just no ping.
      My scenario:

      lan------------------ asa -------------------- cisco router ----------internet

      I will post the configuration for the ASA:

      ASA Version 8.4(2)
      !
      hostname ciscoasa
      enable password 8Ry2YjIyt7RR24 encrypted
      !
      interface GigabitEthernet0/0
      nameif outside
      security-level 0
      ip address 192.168.193.3 255.255.255.0
      !
      interface GigabitEthernet0/1
      nameif inside
      security-level 100
      ip address 192.168.191.1 255.255.255.0
      !
      interface GigabitEthernet0/2
      shutdown
      no nameif
      no security-level
      no ip address
      !
      interface GigabitEthernet0/3
      shutdown
      no nameif
      no security-level
      no ip address
      !
      interface Management0/0
      nameif management
      security-level 100
      ip address 192.168.1.1 255.255.255.0
      management-only
      same-security-traffic permit inter-interface
      same-security-traffic permit intra-interface
      access-list OUTSIDE extended permit ip any any
      access-list inside_access_in extended permit ip any any
      access-list cap extended permit icmp any host 4.2.2.2
      access-list cap extended permit icmp host 4.2.2.2 any
      access-group OUTSIDE in interface outside
      access-group inside_access_in in interface inside
      route inside 0.0.0.0 0.0.0.0 192.168.193.2 1

      policy-map global_policy
      class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
      inspect icmp error
      My router can access the Internet, and all of the LAN can access the Internet without the ASA.

      So what is missing or wrong in the configuration for accessing the Internet?

      Best regards

        • 1. Re: I cannot access the Internet behind the ASA
          DelVonte

          What does your router config look like? Also, are there other internal networks? If so, you will need to create routes for those networks.

          • 2. Re: I cannot access the Internet behind the ASA
            Mohamed

            This is my router config.

            Can you correct my ASA config?

             router#show running-config
             Building configuration...

             Current configuration : 6218 bytes
             !
             version 15.0
             service timestamps debug datetime msec
             service timestamps log datetime msec
             no service password-encryption
             !
             hostname router
             !
             boot-start-marker
             boot-end-marker
             !
             logging buffered 51200 warnings
             !
             no aaa new-model
             !
             no ipv6 cef
             ip source-route
             ip cef
             !
             !
             !
             ip dhcp pool Internet
                network 192.168.193.0 255.255.255.0
                default-router 192.168.193.2
                dns-server 84.235.6.55 84.235.57.230
                lease infinite
             !
             !
             ip domain name
             ip name-server 84.235.6.55
             ip name-server 84.235.57.230
             multilink bundle-name authenticated
             !
             !
             !
             crypto pki trustpoint TP-s
             enrollment selfsigned
             subject-name cn=IOS-Self-Signed-Certificate-4038588294
             revocation-check none
             rsakeypair TP-self-signed-4038588294
             !
             !
             crypto pki certificate chain TP-self-signed-4038588294
             certificate self-signed 01
               3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
               31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
               69666963 6174652D 34303338 35383832 3934301E 170D3131 30393037 31303535
               34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 0313
               4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30333835
               38383239 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
               8100B026 8B479786 27010FB7 C47A39BB 3563AFD5 437FFB78 C1F1456A 82691CC9
               CE3B4F97 B1D62C35 9E8AF0D1 3BF4B6C2 164705D5 1A41E85E 99B82F97 0E2BB08D
               334A5172 ACDC16D6 66B1F2FF 8D579642 F15F4560 3E064E40 5FE83AA8 C6363E06
               7A37355A CBBC2A81 A3786FEA 7125DA64 B74E7082 20834C8A EA81A2B7 32EC1048
               7D0B0203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 302106
               551D1104 1A301882 164E616A 72616E4D 4F492E73 61756469 2E6E6574 2E736130
               1F060355 1D230418 30168014 4E6C9815 D28A155B 0D8CB718 CCE74CE2 58D68621
               301D0603 551D0E04 1604144E 6C9815D2 8A155B0D 8CB718CC E74CE258 D6862130
               0D06092A 864886F7 0D010104 05000381 8100540A 521F52E2 F16C92CE E3A457E8
               872D998E E702075A 8383D506 EC9A3207 36C1351F BA3A0676 1491D6C8 33C35B54
               B733FC86 78B0B7A9 AB4DFB5D 7F495B94 62945799 724CF137 2D5CF0BB 629DBBD2
               CCD13350 FED2676B 994983CD 85CAA52E 9CC7A08F 3F8DBBF8 EB6641FF 39D765
               2B1A0051 3BCDFA32 DF12A97D 6641B29D 78BA
                     quit
             license udi pid C3900-SPE100/K9 sn FOC15074HMG
             !
             !
             username cisco privilege 15 secret 5 $1$bBcM$DG8ZzlbJPMbKIGwsswNSN1
             !
             !
             !
             !
             !
             !
             interface GigabitEthernet0/0
             no ip address
             ip virtual-reassembly
             duplex full
             speed auto
             no keepalive
             !
             interface GigabitEthernet0/0.3130
             description NJRNJNAD-RYAD16_34 DIA1
             encapsulation dot1Q 3130
             ip address 84.235.40.xx 255.255.255.252
             ip nat outside
             ip virtual-reassembly
             !
             interface Gigab
             description "Connection to internal LAN"
             ip address 192.168.193.2 255.255.255.0
             ip nat inside
             ip virtual-reassembly
             duplex full
             speed auto
             media-type rj45
             no keepalive
             no cdp enable
             !
             interface GigabitEthernet0/2
             no ip address
             shutdown
             duplex auto
             speed auto
             !
             no ip forward-protocol nd
             !
             ip http server
             ip http access-class 23
             ip http authentication local
             ip http secure-server
             ip http timeout-policy idle 60 life 86400 requests 10000
             !
             ip nat pool smtp_nat 84.235.81.x0 84.235.81.x0 netmask 255.255.255.248
             ip nat inside source list 101 interface GigabitEthernet0/0.3130 overload
             ip nat inside source list 102 pool smtp_nat overload
             ip nat inside source static tcp 192.168.193.3 25 84.235.81.x0 25 extendable
             ip nat inside source static tcp 192.168.193.3 80 84.235.81.x0 80 extendable
             ip nat inside source static tcp 192.168.193.3 443 84.235.81.x0 443 extendable
             ip nat inside source static tcp 192.168.193.3 587 84.235.81.x0 587 extendable
             ip route 0.0.0.0 0.0.0.0 84.235.40.xx
             ip route 10.64.0.0 255.255.0.0 192.168.193.3
             !
             access-list 23 permit 10.10.10.0 0.0.0.7
             access-list 101 deny   tcp host 192.168.193.3 any eq smtp
             access-list 101 deny   tcp host 192.168.193.3 any eq 587
             access-list 101 permit ip 192.0.0.0 0.255.255.255 any
             access-list 102 permit tcp host 192.168.193.3 any eq smtp
             access-list 102 permit tcp host 192.168.193.3 any eq 587
             access-list 102 deny   ip any any
             !
             !
             !
             control-plane
             !

            • 3. Re: I cannot access the Internet behind the ASA
              Mohamed

              http://www3.0zz0.com/2012/04/18/20/942543723.jpg

              This is a diagram of the network.

              • 4. Re: I cannot access the Internet behind the ASA
                DelVonte

                I'm not positive, as I only glanced at your config, but it looks like the router doesn't have a route for 192.168.191.0/24.

                • 5. Re: I cannot access the Internet behind the ASA
                  Mohamed

                  You mean the problem is just adding a route on the Cisco router?

                  ??????

                  • 6. Re: I cannot access the Internet behind the ASA
                    DelVonte

                    Yes, a route on the router for your LAN network, as it does not have one.
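The two posted configurations can be checked against each other without any hardware by modelling their routing tables and tracing one flow in both directions. The script below is an added example, not part of the thread or of Cisco's tooling. It builds both tables from the routes visible in the posts (the router's LAN/WAN interface names are placeholders, since the router's LAN interface name and WAN next hop are masked in the post; the client 192.168.191.10 and the target 4.2.2.2 from the ASA's `cap` ACL are constructed test values) and reports two problems: the ASA's default route points out the `inside` interface although 192.168.193.2 lives on the `outside` subnet, and the router has no route back to 192.168.191.0/24, so replies follow its default route to the ISP instead of to the ASA. The `FIX_COMMANDS` dictionary holds the ASA and IOS lines that make the model pass; NAT on the router (ACL 101 already covers 192.0.0.0/8) is not modelled.

```python
"""
Constructed model of the routing tables posted in this thread, used to show
why hosts on the ASA inside network (192.168.191.0/24) get no Internet access.
Router interface names "lan"/"wan" and the ISP next hop are placeholders.
"""
import ipaddress

# Route entries: (prefix, egress interface, next hop or None if directly connected).
ASA_ROUTES_AS_POSTED = [
    ("192.168.193.0/24", "outside", None),        # connected, GigabitEthernet0/0
    ("192.168.191.0/24", "inside", None),         # connected, GigabitEthernet0/1
    ("0.0.0.0/0", "inside", "192.168.193.2"),     # posted: route inside 0.0.0.0 0.0.0.0 192.168.193.2 1
]
ASA_ROUTES_FIXED = [
    ("192.168.193.0/24", "outside", None),
    ("192.168.191.0/24", "inside", None),
    ("0.0.0.0/0", "outside", "192.168.193.2"),    # the gateway is on the outside subnet
]
ROUTER_ROUTES_AS_POSTED = [
    ("192.168.193.0/24", "lan", None),            # connected, router is 192.168.193.2
    ("10.64.0.0/16", "lan", "192.168.193.3"),     # posted static route via the ASA
    ("0.0.0.0/0", "wan", "ISP"),                  # ip route 0.0.0.0 0.0.0.0 84.235.40.xx (next hop masked)
]
ROUTER_ROUTES_FIXED = ROUTER_ROUTES_AS_POSTED + [
    ("192.168.191.0/24", "lan", "192.168.193.3"), # the route DelVonte says is missing
]

ASA_OUTSIDE_ADDRESS = "192.168.193.3"  # ASA as seen from the router's LAN


def lookup(routes, destination):
    """Longest-prefix-match lookup. Returns (egress, next_hop) or None if no route."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, egress, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress, next_hop)
    return None if best is None else (best[1], best[2])


def path_problems(asa_routes, router_routes, client="192.168.191.10", target="4.2.2.2"):
    """
    Trace one flow both ways: client -> target through the ASA, and the router's
    reply back towards the client. Returns a list of problems (empty means OK).
    """
    problems = []
    forward = lookup(asa_routes, target)
    if forward is None or forward[0] != "outside":
        egress = forward[0] if forward else "nothing"
        problems.append(f"ASA routes {target} via '{egress}', so packets never leave "
                        f"the outside interface")
    reverse = lookup(router_routes, client)
    if reverse is None or reverse[1] != ASA_OUTSIDE_ADDRESS:
        via = reverse[1] if reverse else "nothing"
        problems.append(f"router forwards replies for {client} via {via}, not via the ASA "
                        f"({ASA_OUTSIDE_ADDRESS}); return traffic is lost")
    return problems


# Configuration lines that make the model pass (ASA syntax and IOS syntax).
FIX_COMMANDS = {
    "asa": [
        "no route inside 0.0.0.0 0.0.0.0 192.168.193.2 1",
        "route outside 0.0.0.0 0.0.0.0 192.168.193.2 1",
    ],
    "router": [
        "ip route 192.168.191.0 255.255.255.0 192.168.193.3",
    ],
}

if __name__ == "__main__":
    for label, asa, rtr in (("as posted", ASA_ROUTES_AS_POSTED, ROUTER_ROUTES_AS_POSTED),
                            ("after fix", ASA_ROUTES_FIXED, ROUTER_ROUTES_FIXED)):
        print(f"{label}: {path_problems(asa, rtr) or 'path OK in both directions'}")
```

Run it as-is to see the two findings for the posted configs and an empty list after both fixes; applying only the router route still leaves the ASA-side finding, which is why a check of both directions is more useful than checking either box alone.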